Is WordPress Secure? Here’s What the Data Says

WordPress is, by far, the most popular way to build a website. That popularity has the unfortunate side effect of also making WordPress sites a juicy target for malicious actors all across the world. And that might have you wondering whether WordPress is secure enough to handle those attacks.

First – some bad news: Every year, hundreds of thousands of WordPress sites get hacked.

For the most part, hackers aren’t getting in through vulnerabilities in the latest WordPress core software. Rather, most sites get hacked through entirely preventable issues, like not keeping software updated or using weak passwords.

As a result, answering the question of “is WordPress secure?” requires some nuance. To do that, we’re going to cover a few different angles:

Statistics on how WordPress sites actually get hacked, so you understand where the security vulnerabilities are.

How the WordPress core team addresses security issues, so you know who’s responsible and what they are responsible for securing.

Whether WordPress is secure when you follow best practices, so you know if your website will be safe.

How WordPress Sites Get Hacked (By The Data)

Ok, you know that plenty of WordPress sites are getting hacked each year. But…how is it happening? Is it a global WordPress issue? Or does it come from those webmasters’ actions?

Here’s why most WordPress sites get hacked, according to the data that we have…

1. Out-of-Date Core Software

Here’s an unsurprising correlation from Sucuri’s 2017 Hacked Website Report. Of all the hacked WordPress sites Sucuri looked at, 39.3% were running out-of-date WordPress core software at the time of the incident.

Hacked websites (Image source: Sucuri)

So right away, you can see a correlation between getting hacked and running out-of-date software. Note that it is a correlation: the report counts sites that were out of date at the time of the incident, not sites where the outdated core is known to have been the entry point. Still, it is a clear improvement over the 61% Sucuri reported in 2016. 👏

According to the WPScan Vulnerability Database, ~74% of the known vulnerabilities they logged are in the WordPress core software. But here’s the kicker – the versions with the most vulnerabilities are all way back in WordPress 3.X:

WPScan list of known vulnerabilities

But – unfortunately – only 62% of WordPress sites are running the latest version, which is why many sites are still unnecessarily vulnerable to those exploits.

The 2017 defacement campaign is the clearest example. WordPress 4.7.1 contained multiple vulnerabilities that were used to deface a large number of sites. But weeks before the vulnerabilities were exploited, WordPress 4.7.2 had already been released to fix all of them.

Every site owner who had left automatic security updates enabled, or who had otherwise promptly updated to WordPress 4.7.2, was safe. Those who hadn’t applied the update weren’t.

Takeaway: The WordPress Security Team does a great job at quickly fixing issues in the WordPress core software. If you promptly apply all security updates, it’s highly unlikely that your site experiences any issues as a result of core vulnerabilities. But if you don’t, you take a risk once an exploit gets out into the wild.

2. Out-of-Date Plugins Or Themes

One of the things people love about WordPress is the dizzying array of available plugins and themes. As of writing this, there are over 56,000 on the WordPress repository, and thousands of additional premium ones scattered across the web.

While all those options are great for extending your site, each extension is a new potential entry point for a malicious actor. And while most WordPress developers do a good job of following coding standards and patching vulnerabilities as they become known, there are still a few potential issues:

A plugin or theme has a vulnerability and, because there aren’t as many eyes on it as the WordPress core software, that vulnerability goes undetected.

The developer has stopped working on the extension but people are still using it.

The developer quickly patches the issue, but people just don’t update.

So how big is the issue?

Well, in a survey from Wordfence of hacked website owners, over 60% of the website owners who knew how the hacker got in attributed it to a plugin or theme vulnerability.

Wordfence hacked website survey (Image source: Wordfence)

Similarly, in Sucuri’s 2016 report, just 3 plugins accounted for over 15% of the hacked websites they looked at.

Sucuri hacked plugin list

Here’s the kicker, though:

The vulnerabilities in those plugins had long since been patched – site owners just hadn’t updated the plugin to protect their site.

Takeaway: WordPress themes and plugins introduce a wildcard and can open your site to malicious actors. Much of this risk can be mitigated by following best practices, though. Keep your extensions updated and only install extensions from reputable sources.
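The two takeaways above (keep core updated, keep extensions updated) come down to a handful of settings. The following must-use plugin is an added example, not Kinsta’s or WordPress’s own code; it shows the weak configuration that leaves a site stuck on an old release beside the settings that keep updates flowing. The exception lists are assumptions: put your own plugin slugs and theme directory names there, or leave them empty. It needs PHP 7+ (array constants) and a working WP-Cron or real cron job, since that is what drives the background updater.

```php
<?php
/**
 * Plugin Name: Update Policy (added example)
 *
 * Save as wp-content/mu-plugins/update-policy.php. Not Kinsta's or
 * WordPress's own code; an illustration of the update settings behind the
 * first two takeaways. The exception lists are assumptions: put your own
 * plugin slugs / theme directory names there, or leave them empty.
 */

// --- The weak configuration, for contrast. Either line in wp-config.php
// --- switches off the background updater, which is exactly how sites were
// --- still on 4.7.1 after 4.7.2 had shipped. Don't do this.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
// define( 'WP_AUTO_UPDATE_CORE', false );

// Minor core releases (4.7.1 -> 4.7.2) are where security fixes ship.
// WordPress installs them automatically by default; this keeps it that way
// even if a host or another plugin tries to turn it off.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Extensions you deliberately update by hand after testing on staging (assumed names).
define( 'UPDATE_POLICY_MANUAL_PLUGINS', array( 'woocommerce' ) );
define( 'UPDATE_POLICY_MANUAL_THEMES', array( 'my-child-theme' ) );

// Auto-update every plugin except the exceptions. $item->slug is present for
// plugins served from WordPress.org; third-party plugins may not set it.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, UPDATE_POLICY_MANUAL_PLUGINS, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Same for themes; $item->theme is the theme's directory name.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, UPDATE_POLICY_MANUAL_THEMES, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// With a stolen admin password, the dashboard's theme/plugin editor is a
// one-click backdoor. Turning it off removes that path entirely.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

In wp-config.php, `WP_AUTO_UPDATE_CORE` accepts `true` (major and minor releases), `'minor'` (the default) or `false`; the filter above only guards the minor/security channel, which is the one that matters here. Automatic plugin updates can break a site, which is why a backup taken before each update (the rollback the article recommends) matters more than ever once you switch them on. Since WordPress 5.5 the Plugins screen also exposes a per-plugin auto-update toggle that sets the same filter for you.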

We also have to mention the GPL clubs you might see floating around the internet, where you can get any premium WordPress plugin or theme for just a couple of dollars. WordPress is licensed under the GPL, which is awesome and one reason we love it, and redistributing GPL code is legal. Buyer beware all the same. These copies are sometimes also referred to as nulled plugins (copies with the developer’s licensing checks stripped out), and nulled copies are a well-known vehicle for injected backdoors and spam code.

Buying plugins from GPL clubs means you’re trusting a third party to grab the latest updates from the developer, and a lot of the time you won’t get support or timely security fixes. Getting plugin updates directly from the developer is the safest route. Also, we are all about supporting developers and their hard work!

3. Compromised Login Credentials For WordPress, FTP, or Hosting

Ok, this one isn’t really WordPress’ fault. But a non-trivial percentage of hacks are from malicious actors getting their hands on WordPress login credentials, or the login credentials for webmasters’ hosting or FTP accounts.

In that same Wordfence survey, brute force attacks accounted for ~16% of hacked sites, with password theft, workstation, phishing, and FTP accounts all making a small, but noticeable, appearance.

Once a malicious actor gets the metaphorical key to the front door, it doesn’t matter how otherwise secure your WordPress site is.

WordPress helps here by generating strong passwords by default, but it’s still up to users to keep those passwords safe and to use equally strong, unique passwords for hosting and FTP.

For hosting accounts, use two-factor authentication if available and never store your FTP password in plaintext (like some FTP programs do).

If you have a choice between FTP and SFTP (SSH File Transfer Protocol), always use SFTP. Plain FTP sends your password and file contents in clear text; SFTP runs over SSH, so neither is ever exposed on the wire. We only support secure connections at Kinsta.
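The brute-force share of that Wordfence survey is the part you can do something about in code. The must-use plugin below is an added example, not a Kinsta or WordPress feature: it counts failed logins per source IP with the `wp_login_failed` action and refuses further attempts through the `authenticate` filter once a limit is hit. The thresholds and the trusted-proxy list are assumptions to tune for your site; it requires PHP 7+.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 *
 * Save as wp-content/mu-plugins/login-throttle.php. Not a Kinsta or WordPress
 * feature; an illustration of per-IP brute-force limiting built on the
 * wp_login_failed action and the authenticate filter. Requires PHP 7+.
 * The thresholds and the trusted-proxy list are assumptions; tune them.
 */

define( 'LOGIN_THROTTLE_MAX_FAILURES', 5 );                 // failures allowed per window
define( 'LOGIN_THROTTLE_WINDOW', 15 * MINUTE_IN_SECONDS );   // lockout window
define( 'LOGIN_THROTTLE_TRUSTED_PROXIES', array() );         // your CDN / load balancer IPs (assumed none)

/**
 * Source IP of the request. REMOTE_ADDR is the only value the client cannot
 * forge, so X-Forwarded-For is honoured only when REMOTE_ADDR is a proxy we
 * trust. Otherwise an attacker would just rotate the header and never be throttled.
 */
function login_throttle_client_ip() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if ( in_array( $ip, LOGIN_THROTTLE_TRUSTED_PROXIES, true ) && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // The last entry is the one our trusted proxy appended: the address it actually saw.
        $chain     = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
        $candidate = end( $chain );
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            $ip = $candidate;
        }
    }
    return $ip;
}

function login_throttle_key( $ip ) {
    return 'login_fail_' . md5( $ip ); // keeps the transient name short and safe
}

// Count every failed username/password pair from this IP. Each set_transient
// call restarts the window, so an attacker who keeps hammering stays locked out.
add_action( 'wp_login_failed', function ( $username ) {
    $key = login_throttle_key( login_throttle_client_ip() );
    set_transient( $key, (int) get_transient( $key ) + 1, LOGIN_THROTTLE_WINDOW );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20).
// Returning the error earlier would not work: the core check replaces an incoming
// WP_Error with a WP_User when the password is right. At 30, a throttled IP is
// refused even with the correct password until the window expires.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // no form submission to throttle
    }
    $count = (int) get_transient( login_throttle_key( login_throttle_client_ip() ) );
    if ( $count >= LOGIN_THROTTLE_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', LOGIN_THROTTLE_WINDOW / 60 )
        );
    }
    return $user;
}, 30, 3 );

// XML-RPC's system.multicall lets one HTTP request try hundreds of passwords and
// is a favourite brute-force channel. If nothing (Jetpack, the mobile app) needs
// it, turn off the authenticated XML-RPC methods entirely.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Two caveats a practitioner should keep in mind. The throttle keys on the IP, not the username, on purpose: a per-username lockout would let an attacker lock you out of your own admin account at will. And a per-IP limit does little against a distributed botnet that tries a few passwords from each of thousands of addresses, so it complements the strong passwords and two-factor authentication the article recommends rather than replacing them.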

4. Supply Chain Attacks

Recently, there have been some instances where hackers gained access to sites through a nasty trick called a supply chain attack. Essentially, the malicious actor would:

Purchase a previously high-quality plugin listed at WordPress.org

Add a backdoor to the plugin’s code

Push the backdoored version as an update and wait for sites to install it

Wordfence has a deeper explanation if you’re interested. While these types of attacks are by no means widespread, they are harder to prevent because they result from doing something you should be doing (keeping a plugin updated).


With that being said, the WordPress.org team usually quickly spots these issues and removes the plugin from the directory.

Takeaway: This one can be hard to prevent because it’s a good thing to always update to the latest version. To help, security plugins like Wordfence can alert you when a plugin is removed from WordPress.org so that you quickly address it. And a good backup strategy can help you roll back without any permanent damage.
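Because a supply chain attack arrives through the very update you are supposed to install, the practical defence is to know exactly what an update changed. The script below is an added example, not a Kinsta, WordPress or WP-CLI tool: it records a SHA-256 manifest of `wp-content/plugins` and later reports every file that was added, removed or modified, then flags new or changed PHP files that use constructs common in planted backdoors. It also applies to the out-of-date-plugin problem from section 2, since an unexpected change in a plugin you did not update is the same signal. The paths are placeholders; it requires PHP 7+.

```php
<?php
/**
 * plugin-manifest.php
 *
 * Added example, not a Kinsta, WordPress or WP-CLI tool. Records a SHA-256
 * manifest of wp-content/plugins and later reports what changed, so a plugin
 * update that quietly shipped a backdoor shows up as an unexpected new or
 * modified PHP file instead of going unnoticed. Paths are placeholders.
 *
 *   php plugin-manifest.php record /var/www/html/wp-content/plugins /root/plugins.json
 *   php plugin-manifest.php verify /var/www/html/wp-content/plugins /root/plugins.json
 */

/** Map of relative path => sha256 for every regular file under $root. */
function manifest_build( $root ) {
    $root  = rtrim( $root, '/' );
    $files = array();
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $info ) {
        if ( ! $info->isFile() ) {
            continue;
        }
        $rel           = substr( $info->getPathname(), strlen( $root ) + 1 );
        $files[ $rel ] = hash_file( 'sha256', $info->getPathname() );
    }
    ksort( $files );
    return $files;
}

/** Compare two manifests; returns added / removed / changed path lists. */
function manifest_diff( array $old, array $new ) {
    $diff = array( 'added' => array(), 'removed' => array(), 'changed' => array() );
    foreach ( $new as $path => $hash ) {
        if ( ! isset( $old[ $path ] ) ) {
            $diff['added'][] = $path;
        } elseif ( $old[ $path ] !== $hash ) {
            $diff['changed'][] = $path;
        }
    }
    foreach ( array_keys( $old ) as $path ) {
        if ( ! isset( $new[ $path ] ) ) {
            $diff['removed'][] = $path;
        }
    }
    return $diff;
}

/**
 * Heuristic triage of new or changed PHP files: functions common in planted
 * backdoors. Legitimate plugins use some of these too, so a hit means
 * "read this file first", not "compromised".
 */
function manifest_triage( $root, array $diff ) {
    $hits    = array();
    $pattern = '/\b(eval|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru|assert)\s*\(/i';
    foreach ( array_merge( $diff['added'], $diff['changed'] ) as $path ) {
        if ( ! preg_match( '/\.php\d?$/i', $path ) ) {
            continue;
        }
        $src = file_get_contents( rtrim( $root, '/' ) . '/' . $path );
        if ( false !== $src && preg_match( $pattern, $src, $m ) ) {
            $hits[ $path ] = $m[1];
        }
    }
    return $hits;
}

if ( PHP_SAPI === 'cli' ) {
    if ( $argc !== 4 || ! in_array( $argv[1], array( 'record', 'verify' ), true ) || ! is_dir( $argv[2] ) ) {
        fwrite( STDERR, "usage: php plugin-manifest.php record|verify <plugins-dir> <manifest.json>\n" );
        exit( 2 );
    }
    list( , $mode, $root, $manifest ) = $argv;
    $current = manifest_build( $root );

    if ( 'record' === $mode ) {
        file_put_contents( $manifest, json_encode( $current, JSON_PRETTY_PRINT ) );
        printf( "recorded %d files to %s\n", count( $current ), $manifest );
        exit( 0 );
    }

    $old  = json_decode( (string) file_get_contents( $manifest ), true );
    $diff = manifest_diff( is_array( $old ) ? $old : array(), $current );
    foreach ( $diff as $kind => $paths ) {
        foreach ( $paths as $path ) {
            printf( "%-8s %s\n", $kind, $path );
        }
    }
    foreach ( manifest_triage( $root, $diff ) as $path => $func ) {
        printf( "REVIEW   %s (uses %s)\n", $path, $func );
    }
    $changes = count( $diff['added'] ) + count( $diff['removed'] ) + count( $diff['changed'] );
    exit( $changes > 0 ? 1 : 0 );
}
```

Run `record` right after installing or updating a plugin from the developer, keep the manifest outside the web root, and run `verify` from cron or before re-recording after each update. A legitimate update will show up as changed files too; the point is that you see the list and can diff the PHP before you accept the new baseline, instead of finding the backdoor months later. For core files WP-CLI already does the equivalent against WordPress.org’s published hashes with `wp core verify-checksums`, and newer WP-CLI releases add `wp plugin verify-checksums` for directory-hosted plugins. One limit to be clear about: if the backdoored release is the one you baselined, the manifest cannot tell you; only review of the diff, or comparison against the developer’s own release, catches that.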

5. Poor Hosting Environment And Out-Of-Date Technology

Beyond what’s happening on your WordPress site, your hosting environment and the technologies that you use make a difference, too. For example, despite PHP 7 offering many security enhancements over PHP 5, only ~33% of WordPress sites are using PHP 7 or higher.

PHP 5.6’s security support officially expires at the end of 2018. And earlier versions of PHP 5 haven’t had security support for years.

That means a hosting environment running PHP 5.6 or below will soon leave you exposed to PHP security vulnerabilities that will never be patched.

Despite that fact, a whopping ~28% of WordPress websites are still using PHP versions under 5.6, which is a huge issue when you consider that recently we’ve seen record years for the number of discovered PHP vulnerabilities.

Beyond giving you access to the latest technologies, using secure WordPress hosting can also help you automatically mitigate many of the other potential security vulnerabilities with:

Takeaway: Using a secure hosting environment and recent versions of important technologies like PHP helps further ensure that your WordPress site stays safe.

Who’s Responsible For Keeping WordPress Secure?

Now you might be wondering, who’s responsible for combating all the issues above?

Officially, that responsibility falls to the WordPress Security Team (though individual contributors and developers from around the world also play a huge role in keeping WordPress secure).

The WordPress Security Team is “50 experts including lead developers and security researchers”. About half of these experts work at Automattic. Others work in web security, and the team also consults with security researchers and hosting companies.

If you’re interested in a detailed look at how the WordPress Security Team functions, you can watch Aaron Campbell’s 48-minute talk from WordCamp Europe 2017. But in general, the WordPress Security Team:

The WordPress Security Team has a responsible disclosure policy: once they’ve patched the bug and released the security fix, they publicly disclose the issue. (This is part of why so many sites were defaced in 2017. Public disclosure told attackers exactly what to look for, and those sites still hadn’t applied the update even after the security team had disclosed the bug.)

What the WordPress Security Team does not do is check all the themes and plugins at WordPress.org. The themes and plugins at WordPress.org are manually reviewed by volunteers. But that review is not “a guarantee that they are free from security vulnerabilities”.

So – Is WordPress Secure If You Follow Best Practices?

If you look at all the data and facts above, you’ll see a general trend. If you keep WordPress core, plugins, and themes promptly updated and also:

Choose plugins and themes wisely and only install extensions from reputable developers/source. Beware of GPL clubs and nulled plugins/themes.

If you have a choice between FTP and SFTP, always use SFTP.

Use strong passwords for WordPress, as well as your hosting and SFTP accounts (and two-factor authentication if available).

Don’t use “admin” for your username.

Keep your own computer free from viruses.

Use a TLS certificate (HTTPS) so all communication with your WordPress site (such as logging into your dashboard) is encrypted. Kinsta provides free HTTPS certificates!

Use SSH keys. They provide a more secure way of logging into a server and eliminate the need for a password.

Pick a host with a secure environment and use the latest technologies like PHP 7+.

…then WordPress is secure and your site is very unlikely to be hacked, now or in the future. If you’re a Kinsta client, you also don’t need to worry. If by an off chance your site is hacked, we’ll fix it for free!


Comments


Chad Barnes
September 4, 2018 at 12:38 pm

Awesome! You guys just made the case we make for SkyrocketWP (https://skyrocketwp.com), our WordPress maintenance solution. We perform weekly updates to the core, theme, and plugin files. If an update doesn’t go well, then we troubleshoot the issue and/or restore to a backup. If a plugin or theme goes without updates for more than 12 months, we examine it and, if necessary, strategize with clients to find safer alternatives.

As an encouragement to you guys (and validation of the Kinsta security claims you made above), all of our sites are hosted at Kinsta, and we’ve never had a security issue!
